Re: [grpc-io] Python custom authentication
Sorry for the confusion. I create a PR to add documentation https://github.com/grpc/grpc/pull/19234. About the motivation, this behavior is enforced by gRPC C-Core. Core team decided to raise the security bar. Under insecure Channel, attackers can simply sniff your packets and steal your credentials, or simply re-play them. So, they think it would be better to prevent them in the first place. On Thursday, May 23, 2019 at 3:02:25 PM UTC-7, adul...@gmail.com wrote: > > Thank you for the response! > > And yes, later I also tried to create a secure channel with SSL certs > used. In that case, I was able to pass creds from the client and read them > on the server. Can't say that I understand the motivation for such > behavior... > > > On Thursday, May 23, 2019 at 9:24:37 AM UTC-7, Colin Versteeg wrote: >> >> My understanding is that GRPC is opinionated in this space - because the >> channel is insecure, it doesn't allow credentials to be sent, to limit >> MITM. >> >> I don't recall if it doesn't populate it on the request side, or just >> doesn't allow you to access it on the Server side. You can check which one >> by using Wireshark to inspect the communication to determine which. >> >> If you're trying to test locally and will eventually deploy with SSL, can >> use a self signed certificate with ssl_channel_credentials to test this, >> passing the cert as the root. >> Another option, if you really want to send credentials in plain-text, >> would be to just add the token as a random metadata field >> (stub.getAllSnippets(req, metadata=[("Authorization", "Token")]), and add >> an interceptor in your server which expects invocation_metadata. >> >> >> ------ >> *From:* grp...@googlegroups.com on behalf of >> adul...@gmail.com >> *Sent:* Wednesday, May 22, 2019 6:25 PM >> *To:* grpc.io >> *Subject:* [grpc-io] Python custom authentication >> >> >> What is the right way of passing the call credentials when using an >> insecure channel? >> >> I have this client code: >> >> channel = grpc.insecure_channel('localhost:50051') >> stub = snippets_pb2_grpc.SnippetsStub(channel) >> request = snippets_pb2.SnippetsRequest() >> code_snippets = stub.GetAllSnippets( >> request, >> credentials=access_token_call_credentials('my_token') >> ) >> >> With this, I can't access provided credentials on the server side. Tried >> both: * context.auth_content()* (returns empty dict) and >> *context.invocation_metadata()* (doesn't have any token keys). >> >> With the same result I've also tried to extend the *grpc.AuthMetadataPlugin >> *class and work this way: >> >> class UsernamePasswordCallCredentials(grpc.AuthMetadataPlugin): >> """Metadata wrapper for raw access token credentials.""" >> >> def __init__(self, username, password): >> self._username = username >> self._password = password >> >> def __call__(self, context, callback): >> basic_auth = "Basic %s" % base64.b64encode("%s:%s" % >> (self._username, self._password)) >> metadata = (('authorization', basic_auth),) >> callback(metadata, None) >> >> call_creds = >> metadata_call_credentials(UsernamePasswordCallCredentials('my_name', >> 'my_password')) >> >> >> channel = grpc.insecure_channel('localhost:50051') >> stub = snippets_pb2_grpc.SnippetsStub(channel) >> request = snippets_pb2.SnippetsRequest() >> code_snippets = stub.GetAllSnippets( >> request, >> credentials=call_creds >> ) >> >> -- >> You received this message because you are subscribed to the Google Groups >> "grpc.io" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to grp...@googlegroups.com. >> To view this discussion on the web visit >> https://groups.google.com/d/msgid/grpc-io/83c57d08-50e3-4333-a53d-36921da2add1%40googlegroups.com >> >> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgroups.google.com%2Fd%2Fmsgid%2Fgrpc-io%2F83c57d08-50e3-4333-a53d-36921da2add1%2540googlegroups.com%3Futm_medium%3Demail%26utm_source%3Dfooter&data=02%7C01%7Ccoverste%40microsoft.com%7Cb576b490aebd47fbe35208d6df1d8224%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C1%7C636941715228991132&sdata=C2wV63LgJULu7GoIRkJ1KO3Cqi65pDk2ScjLAgSUFpM%3D&reserved=0> >> . >> > -- You received this message because you are subscribed to the Google Groups "grpc.io" group. To unsubscribe from this group and stop receiving emails from it, send an email to grpc-io+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/grpc-io/94204105-190f-403e-8a0a-e9a312538158%40googlegroups.com.
Re: [grpc-io] Python custom authentication
Thank you for the response! And yes, later I also tried to create a secure channel with SSL certs used. In that case, I was able to pass creds from the client and read them on the server. Can't say that I understand the motivation for such behavior... On Thursday, May 23, 2019 at 9:24:37 AM UTC-7, Colin Versteeg wrote: > > My understanding is that GRPC is opinionated in this space - because the > channel is insecure, it doesn't allow credentials to be sent, to limit > MITM. > > I don't recall if it doesn't populate it on the request side, or just > doesn't allow you to access it on the Server side. You can check which one > by using Wireshark to inspect the communication to determine which. > > If you're trying to test locally and will eventually deploy with SSL, can > use a self signed certificate with ssl_channel_credentials to test this, > passing the cert as the root. > Another option, if you really want to send credentials in plain-text, > would be to just add the token as a random metadata field > (stub.getAllSnippets(req, metadata=[("Authorization", "Token")]), and add > an interceptor in your server which expects invocation_metadata. > > > -- > *From:* grp...@googlegroups.com > on behalf of adul...@gmail.com < > adul...@gmail.com > > *Sent:* Wednesday, May 22, 2019 6:25 PM > *To:* grpc.io > *Subject:* [grpc-io] Python custom authentication > > > What is the right way of passing the call credentials when using an > insecure channel? > > I have this client code: > > channel = grpc.insecure_channel('localhost:50051') > stub = snippets_pb2_grpc.SnippetsStub(channel) > request = snippets_pb2.SnippetsRequest() > code_snippets = stub.GetAllSnippets( > request, > credentials=access_token_call_credentials('my_token') > ) > > With this, I can't access provided credentials on the server side. Tried > both: * context.auth_content()* (returns empty dict) and > *context.invocation_metadata()* (doesn't have any token keys). > > With the same result I've also tried to extend the *grpc.AuthMetadataPlugin > *class and work this way: > > class UsernamePasswordCallCredentials(grpc.AuthMetadataPlugin): > """Metadata wrapper for raw access token credentials.""" > > def __init__(self, username, password): > self._username = username > self._password = password > > def __call__(self, context, callback): > basic_auth = "Basic %s" % base64.b64encode("%s:%s" % > (self._username, self._password)) > metadata = (('authorization', basic_auth),) > callback(metadata, None) > > call_creds = > metadata_call_credentials(UsernamePasswordCallCredentials('my_name', > 'my_password')) > > > channel = grpc.insecure_channel('localhost:50051') > stub = snippets_pb2_grpc.SnippetsStub(channel) > request = snippets_pb2.SnippetsRequest() > code_snippets = stub.GetAllSnippets( > request, > credentials=call_creds > ) > > -- > You received this message because you are subscribed to the Google Groups " > grpc.io" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to grp...@googlegroups.com . > To view this discussion on the web visit > https://groups.google.com/d/msgid/grpc-io/83c57d08-50e3-4333-a53d-36921da2add1%40googlegroups.com > > <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgroups.google.com%2Fd%2Fmsgid%2Fgrpc-io%2F83c57d08-50e3-4333-a53d-36921da2add1%2540googlegroups.com%3Futm_medium%3Demail%26utm_source%3Dfooter&data=02%7C01%7Ccoverste%40microsoft.com%7Cb576b490aebd47fbe35208d6df1d8224%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C1%7C636941715228991132&sdata=C2wV63LgJULu7GoIRkJ1KO3Cqi65pDk2ScjLAgSUFpM%3D&reserved=0> > . > -- You received this message because you are subscribed to the Google Groups "grpc.io" group. To unsubscribe from this group and stop receiving emails from it, send an email to grpc-io+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/grpc-io/72d4ce50-1129-403d-b572-2f2ced9b17d0%40googlegroups.com.
Re: [grpc-io] Python custom authentication
My understanding is that GRPC is opinionated in this space - because the channel is insecure, it doesn't allow credentials to be sent, to limit MITM. I don't recall if it doesn't populate it on the request side, or just doesn't allow you to access it on the Server side. You can check which one by using Wireshark to inspect the communication to determine which. If you're trying to test locally and will eventually deploy with SSL, can use a self signed certificate with ssl_channel_credentials to test this, passing the cert as the root. Another option, if you really want to send credentials in plain-text, would be to just add the token as a random metadata field (stub.getAllSnippets(req, metadata=[("Authorization", "Token")]), and add an interceptor in your server which expects invocation_metadata. From: grpc-io@googlegroups.com on behalf of adult...@gmail.com Sent: Wednesday, May 22, 2019 6:25 PM To: grpc.io Subject: [grpc-io] Python custom authentication What is the right way of passing the call credentials when using an insecure channel? I have this client code: channel = grpc.insecure_channel('localhost:50051') stub = snippets_pb2_grpc.SnippetsStub(channel) request = snippets_pb2.SnippetsRequest() code_snippets = stub.GetAllSnippets( request, credentials=access_token_call_credentials('my_token') ) With this, I can't access provided credentials on the server side. Tried both: context.auth_content() (returns empty dict) and context.invocation_metadata() (doesn't have any token keys). With the same result I've also tried to extend the grpc.AuthMetadataPlugin class and work this way: class UsernamePasswordCallCredentials(grpc.AuthMetadataPlugin): """Metadata wrapper for raw access token credentials.""" def __init__(self, username, password): self._username = username self._password = password def __call__(self, context, callback): basic_auth = "Basic %s" % base64.b64encode("%s:%s" % (self._username, self._password)) metadata = (('authorization', basic_auth),) callback(metadata, None) call_creds = metadata_call_credentials(UsernamePasswordCallCredentials('my_name', 'my_password')) channel = grpc.insecure_channel('localhost:50051') stub = snippets_pb2_grpc.SnippetsStub(channel) request = snippets_pb2.SnippetsRequest() code_snippets = stub.GetAllSnippets( request, credentials=call_creds ) -- You received this message because you are subscribed to the Google Groups "grpc.io" group. To unsubscribe from this group and stop receiving emails from it, send an email to grpc-io+unsubscr...@googlegroups.com<mailto:grpc-io+unsubscr...@googlegroups.com>. To view this discussion on the web visit https://groups.google.com/d/msgid/grpc-io/83c57d08-50e3-4333-a53d-36921da2add1%40googlegroups.com<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgroups.google.com%2Fd%2Fmsgid%2Fgrpc-io%2F83c57d08-50e3-4333-a53d-36921da2add1%2540googlegroups.com%3Futm_medium%3Demail%26utm_source%3Dfooter&data=02%7C01%7Ccoverste%40microsoft.com%7Cb576b490aebd47fbe35208d6df1d8224%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C1%7C636941715228991132&sdata=C2wV63LgJULu7GoIRkJ1KO3Cqi65pDk2ScjLAgSUFpM%3D&reserved=0>. -- You received this message because you are subscribed to the Google Groups "grpc.io" group. To unsubscribe from this group and stop receiving emails from it, send an email to grpc-io+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/grpc-io/MWHPR2101MB08104C68DEA1D875A035CA2ECE010%40MWHPR2101MB0810.namprd21.prod.outlook.com.
[grpc-io] Python custom authentication
What is the right way of passing the call credentials when using an insecure channel? I have this client code: channel = grpc.insecure_channel('localhost:50051') stub = snippets_pb2_grpc.SnippetsStub(channel) request = snippets_pb2.SnippetsRequest() code_snippets = stub.GetAllSnippets( request, credentials=access_token_call_credentials('my_token') ) With this, I can't access provided credentials on the server side. Tried both: *context.auth_content()* (returns empty dict) and *context.invocation_metadata()* (doesn't have any token keys). With the same result I've also tried to extend the *grpc.AuthMetadataPlugin *class and work this way: class UsernamePasswordCallCredentials(grpc.AuthMetadataPlugin): """Metadata wrapper for raw access token credentials.""" def __init__(self, username, password): self._username = username self._password = password def __call__(self, context, callback): basic_auth = "Basic %s" % base64.b64encode("%s:%s" % (self._username, self._password)) metadata = (('authorization', basic_auth),) callback(metadata, None) call_creds = metadata_call_credentials(UsernamePasswordCallCredentials('my_name', 'my_password')) channel = grpc.insecure_channel('localhost:50051') stub = snippets_pb2_grpc.SnippetsStub(channel) request = snippets_pb2.SnippetsRequest() code_snippets = stub.GetAllSnippets( request, credentials=call_creds ) -- You received this message because you are subscribed to the Google Groups "grpc.io" group. To unsubscribe from this group and stop receiving emails from it, send an email to grpc-io+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/grpc-io/83c57d08-50e3-4333-a53d-36921da2add1%40googlegroups.com.